CVE-2022-48802: Vulnerability in Linux (Linux kernel)
In the Linux kernel, the following vulnerability has been resolved:

fs/proc: task_mmu.c: don't read mapcount for migration entry

The syzbot reported the below BUG:

kernel BUG at include/linux/page-flags.h:785!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 4392 Comm: syz-executor560 Not tainted 5.16.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:PageDoubleMap include/linux/page-flags.h:785 [inline]
RIP: 0010:__page_mapcount+0x2d2/0x350 mm/util.c:744
Call Trace:
 page_mapcount include/linux/mm.h:837 [inline]
 smaps_account+0x470/0xb10 fs/proc/task_mmu.c:466
 smaps_pte_entry fs/proc/task_mmu.c:538 [inline]
 smaps_pte_range+0x611/0x1250 fs/proc/task_mmu.c:601
 walk_pmd_range mm/pagewalk.c:128 [inline]
 walk_pud_range mm/pagewalk.c:205 [inline]
 walk_p4d_range mm/pagewalk.c:240 [inline]
 walk_pgd_range mm/pagewalk.c:277 [inline]
 __walk_page_range+0xe23/0x1ea0 mm/pagewalk.c:379
 walk_page_vma+0x277/0x350 mm/pagewalk.c:530
 smap_gather_stats.part.0+0x148/0x260 fs/proc/task_mmu.c:768
 smap_gather_stats fs/proc/task_mmu.c:741 [inline]
 show_smap+0xc6/0x440 fs/proc/task_mmu.c:822
 seq_read_iter+0xbb0/0x1240 fs/seq_file.c:272
 seq_read+0x3e0/0x5b0 fs/seq_file.c:162
 vfs_read+0x1b5/0x600 fs/read_write.c:479
 ksys_read+0x12d/0x250 fs/read_write.c:619
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

The reproducer was trying to read /proc/$PID/smaps while calling MADV_FREE at the same time. MADV_FREE may split THPs if it is called for a partial THP. It may trigger the below race:

        CPU A                          CPU B
        -----                          -----
smaps walk:                            MADV_FREE:
page_mapcount()
  PageCompound()
                                       split_huge_page()
  page = compound_head(page)
  PageDoubleMap(page)

When calling PageDoubleMap() this page is not a tail page of a THP anymore, so the BUG is triggered.

This could be fixed by elevating the refcount of the page before calling mapcount, but that would prevent it from counting migration entries, and it seems like overkill because the race can only happen when the PMD is split, so all PTE entries of tail pages are actually migration entries, and smaps_account() does treat migration entries as mapcount == 1, as Kirill pointed out. Add a new parameter for smaps_account() to tell that this entry is a migration entry, then skip calling page_mapcount(). Don't skip getting the mapcount for device private entries, since they do track references with mapcount. Pagemap also has a similar issue, although it was not reported. Fixed it as well.

[shy828301@gmail.com: v4]
[nathan@kernel.org: avoid unused variable warning in pagemap_pmd_range()]
AI Analysis
Technical Summary
CVE-2022-48802 is a vulnerability in the Linux kernel's handling of memory-mapping information exposed via the /proc filesystem, specifically in the task_mmu.c component. The issue is a race condition triggered when /proc/$PID/smaps is read concurrently with a MADV_FREE system call that may split a Transparent Huge Page (THP). It manifests as a kernel BUG (an invalid-opcode trap raised by the assertion in include/linux/page-flags.h) caused by an inconsistent state in page reference counting. The root cause is that during the smaps walk the kernel reads the mapcount of a page; if MADV_FREE splits the THP at the same time, the page is no longer a tail page when PageDoubleMap() is reached, the check fails, and the kernel crashes. The problem is exacerbated by the mapcount function not handling migration entries, which the split leaves in place of the tail pages' PTEs, leading to incorrect reference counting and the race. The fix modifies smaps_account() to recognize migration entries and skip page_mapcount() for them (they are accounted as mapcount == 1), while still reading the mapcount for device private entries. A similar issue in pagemap was fixed preemptively. The bug was discovered and reported by syzbot, an automated kernel fuzzer, and affects Linux kernel versions around 5.16.0-rc6. No CVSS score has been assigned yet, and the vulnerability is not known to be exploited in the wild. In practice the flaw causes kernel panics or crashes when a user-space process reads memory-mapping information concurrently with memory-advice calls that manipulate huge pages.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running vulnerable Linux kernel versions, especially those using Transparent Huge Pages and exposing /proc/$PID/smaps information. The impact includes potential denial of service (DoS) due to kernel crashes, which can disrupt critical services, especially in environments relying on Linux servers for infrastructure, cloud services, and container orchestration. While the vulnerability does not directly lead to privilege escalation or data leakage, the induced kernel panic can cause service outages and potential data loss if systems are not properly protected or if critical processes are affected. Organizations with high availability requirements, such as financial institutions, healthcare providers, and critical infrastructure operators in Europe, could face operational disruptions. Additionally, the vulnerability could be leveraged as part of a multi-stage attack to degrade system reliability or to cause targeted disruptions in cloud environments. Since the vulnerability is triggered by specific concurrent operations, exploitation requires local access and specific conditions, limiting remote exploitation but still posing a risk in multi-tenant or shared environments common in European data centers.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernels to versions where this vulnerability is patched, ideally applying the fix that modifies smaps_account() to handle migration entries correctly. System administrators should audit their Linux kernel versions and plan immediate upgrades or backport patches from trusted sources. For environments where immediate patching is not feasible, mitigating the risk involves restricting unprivileged users from accessing /proc/$PID/smaps or limiting the use of MADV_FREE calls, especially in multi-tenant or containerized environments. Monitoring kernel logs for BUG reports related to page flags or invalid opcode errors can help detect attempts to trigger this vulnerability. Additionally, organizations should review their use of Transparent Huge Pages and consider disabling or tuning THP behavior if it aligns with their performance requirements and security posture. Since the vulnerability requires concurrent operations, implementing strict process isolation and limiting user privileges can reduce the attack surface. Finally, integrating kernel crash monitoring and automated recovery mechanisms will help minimize downtime in case of exploitation.
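The detection advice above (watch kernel logs for BUG reports tied to page flags and invalid-opcode traps) is easy to operationalize. The following is an added example, not code from the CVE record or from the Linux kernel project: a small Python scanner that parses dmesg/journal-style oops output, extracts the BUG location, the faulting task, the RIP symbol and the call-trace frames, and flags the specific shape reported here (a BUG in include/linux/page-flags.h reached from the /proc/PID/smaps walker in fs/proc/task_mmu.c). The log lines are constructed for the example; the first oops mirrors the syzbot report quoted on this page, the second is an unrelated placeholder BUG so that the classifier has something to reject.

```python
"""Scan kernel log lines for 'kernel BUG at ...' oopses and flag the
page-flags/smaps pattern described in CVE-2022-48802 (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample log (not a real capture). The first oops mirrors the
# syzbot report in the CVE text; the second is a placeholder unrelated BUG.
SAMPLE_LOG = """\
[  120.001] kernel BUG at include/linux/page-flags.h:785!
[  120.002] invalid opcode: 0000 [#1] PREEMPT SMP KASAN
[  120.003] CPU: 1 PID: 4392 Comm: syz-executor560 Not tainted 5.16.0-rc6-syzkaller #0
[  120.004] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  120.005] RIP: 0010:PageDoubleMap include/linux/page-flags.h:785 [inline]
[  120.006] RIP: 0010:__page_mapcount+0x2d2/0x350 mm/util.c:744
[  120.007] Call Trace:
[  120.008]  page_mapcount include/linux/mm.h:837 [inline]
[  120.009]  smaps_account+0x470/0xb10 fs/proc/task_mmu.c:466
[  120.010]  smaps_pte_range+0x611/0x1250 fs/proc/task_mmu.c:601
[  120.011]  show_smap+0xc6/0x440 fs/proc/task_mmu.c:822
[  120.012]  vfs_read+0x1b5/0x600 fs/read_write.c:479
[  120.013] ---[ end trace 0000000000000000 ]---
[  300.100] usb 1-1: new high-speed USB device number 2
[  400.000] BUG: KASAN: use-after-free in example_fn+0x1/0x2
[  500.000] kernel BUG at fs/example/placeholder.c:999!
[  500.001] invalid opcode: 0000 [#2] PREEMPT SMP
[  500.002] CPU: 0 PID: 777 Comm: cat Not tainted 5.16.0-rc6 #0
[  500.003] RIP: 0010:example_fn+0x10/0x20 fs/example/placeholder.c:999
[  500.004] Call Trace:
[  500.005]  vfs_read+0x1b5/0x600 fs/read_write.c:479
[  500.006] ---[ end trace 0000000000000001 ]---
"""

TS_RE = re.compile(r"^\[\s*[\d.]+\]\s?")                     # "[  120.001] " prefix
BUG_RE = re.compile(r"^kernel BUG at (?P<file>\S+?):(?P<line>\d+)!")
OPCODE_RE = re.compile(r"^invalid opcode:")
TASK_RE = re.compile(r"PID: (?P<pid>\d+) Comm: (?P<comm>\S+) .*?(?P<version>\d+\.\d+\.\d+\S*)")
RIP_RE = re.compile(r"^RIP: \d{4}:(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+ (?P<file>\S+):(?P<line>\d+)")
# Call-trace frame; the +0x.../0x... offset is absent for "[inline]" frames.
FRAME_RE = re.compile(r"^(?P<sym>[\w.]+)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)? (?P<file>\S+):(?P<line>\d+)")


@dataclass
class KernelBugEvent:
    bug_file: str
    bug_line: int
    invalid_opcode: bool = False
    pid: Optional[int] = None
    comm: Optional[str] = None
    kernel_version: Optional[str] = None
    rip_symbol: Optional[str] = None
    frames: List[Tuple[str, str, int]] = field(default_factory=list)

    def matches_cve_2022_48802_pattern(self) -> bool:
        """BUG in page-flags.h reached from the smaps walker in fs/proc/task_mmu.c."""
        in_smaps_walk = any(f.startswith("fs/proc/task_mmu.c") for _, f, _ in self.frames)
        return self.bug_file.endswith("page-flags.h") and in_smaps_walk


def parse_kernel_bugs(text: str) -> List[KernelBugEvent]:
    """Group oops lines into events, one per 'kernel BUG at' header."""
    events: List[KernelBugEvent] = []
    current: Optional[KernelBugEvent] = None
    for raw in text.splitlines():
        line = TS_RE.sub("", raw).strip()
        m = BUG_RE.match(line)
        if m:
            current = KernelBugEvent(m["file"], int(m["line"]))
            events.append(current)
            continue
        if current is None:
            continue                      # noise outside any oops
        if OPCODE_RE.match(line):
            current.invalid_opcode = True
        elif (m := TASK_RE.search(line)):
            current.pid = int(m["pid"])
            current.comm = m["comm"]
            current.kernel_version = m["version"]
        elif (m := RIP_RE.match(line)):
            current.rip_symbol = m["sym"]
        elif (m := FRAME_RE.match(line)):
            current.frames.append((m["sym"], m["file"], int(m["line"])))
        elif line.startswith("---[ end trace"):
            current = None                # kernel's own end-of-oops marker
    return events


def summarize(events: List[KernelBugEvent]) -> List[str]:
    """One alert line per event, tagged when it matches the CVE's shape."""
    out = []
    for e in events:
        tag = ("CVE-2022-48802-like smaps/page-flags BUG"
               if e.matches_cve_2022_48802_pattern() else "kernel BUG")
        out.append(f"{tag}: {e.bug_file}:{e.bug_line} pid={e.pid} comm={e.comm} "
                   f"kernel={e.kernel_version} rip={e.rip_symbol}")
    return out


if __name__ == "__main__":
    for alert in summarize(parse_kernel_bugs(SAMPLE_LOG)):
        print(alert)
```

Feed it `journalctl -k -o short-monotonic` output (or the `dmesg` ring buffer) instead of SAMPLE_LOG in production; the `---[ end trace` marker is what the kernel itself prints at the end of an oops, so events are delimited the same way on real systems. Note that a kernel BUG from this race is a crash, not an exploit: the alert is useful for correlating an unexplained panic or reboot with the affected code path and for prioritizing the kernel update.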
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-07-16T11:38:08.896Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d982ec4522896dcbe61ff
Added to database: 5/21/2025, 9:09:02 AM
Last enriched: 6/30/2025, 9:43:25 PM
Last updated: 7/31/2025, 8:29:42 AM
Views: 14