{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2022-50630","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-12-08T01:14:55.192Z","datePublished":"2025-12-08T01:16:45.555Z","dateUpdated":"2026-05-11T19:22:33.947Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T19:22:33.947Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm: hugetlb: fix UAF in hugetlb_handle_userfault\n\nThe vma_lock and hugetlb_fault_mutex are dropped before handling userfault\nand reacquire them again after handle_userfault(), but reacquire the\nvma_lock could lead to UAF[1,2] due to the following race,\n\nhugetlb_fault\n  hugetlb_no_page\n    /*unlock vma_lock */\n    hugetlb_handle_userfault\n      handle_userfault\n        /* unlock mm->mmap_lock*/\n                                           vm_mmap_pgoff\n                                             do_mmap\n                                               mmap_region\n                                                 munmap_vma_range\n                                                   /* clean old vma */\n        /* lock vma_lock again  <--- UAF */\n    /* unlock vma_lock */\n\nSince the vma_lock will unlock immediately after\nhugetlb_handle_userfault(), let's drop the unneeded lock and unlock in\nhugetlb_handle_userfault() to fix the issue.\n\n[1] https://lore.kernel.org/linux-mm/000000000000d5e00a05e834962e@google.com/\n[2] https://lore.kernel.org/linux-mm/20220921014457.1668-1-liuzixian4@huawei.com/"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["mm/hugetlb.c"],"versions":[{"version":"1a1aad8a9b7bd34f60cdf98cd7915f00ae892c45","lessThan":"45c33966759ea1b4040c08dacda99ef623c0ca29","status":"affected","versionType":"git"},{"version":"1a1aad8a9b7bd34f60cdf98cd7915f00ae892c45","lessThan":"0db2efb3bff879566f05341d94c3de00ac95c4cc","status":"affected","versionType":"git"},{"version":"1a1aad8a9b7bd34f60cdf98cd7915f00ae892c45","lessThan":"dd691973f67b2800a97db723b1ff6f07fdcf7f5a","status":"affected","versionType":"git"},{"version":"1a1aad8a9b7bd34f60cdf98cd7915f00ae892c45","lessThan":"78504bcedb2f1bbfb353b4d233c24d641c4dda33","status":"affected","versionType":"git"},{"version":"1a1aad8a9b7bd34f60cdf98cd7915f00ae892c45","lessThan":"958f32ce832ba781ac20e11bb2d12a9352ea28fc","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["mm/hugetlb.c"],"versions":[{"version":"4.11","status":"affected"},{"version":"0","lessThan":"4.11","status":"unaffected","versionType":"semver"},{"version":"5.10.150","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.75","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"5.19.17","lessThanOrEqual":"5.19.*","status":"unaffected","versionType":"semver"},{"version":"6.0.3","lessThanOrEqual":"6.0.*","status":"unaffected","versionType":"semver"},{"version":"6.1","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.11","versionEndExcluding":"5.10.150"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.11","versionEndExcluding":"5.15.75"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.11","versionEndExcluding":"5.19.17"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.11","versionEndExcluding":"6.0.3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.11","versionEndExcluding":"6.1"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/45c33966759ea1b4040c08dacda99ef623c0ca29"},{"url":"https://git.kernel.org/stable/c/0db2efb3bff879566f05341d94c3de00ac95c4cc"},{"url":"https://git.kernel.org/stable/c/dd691973f67b2800a97db723b1ff6f07fdcf7f5a"},{"url":"https://git.kernel.org/stable/c/78504bcedb2f1bbfb353b4d233c24d641c4dda33"},{"url":"https://git.kernel.org/stable/c/958f32ce832ba781ac20e11bb2d12a9352ea28fc"}],"title":"mm: hugetlb: fix UAF in hugetlb_handle_userfault","x_generator":{"engine":"bippy-1.2.0"}}}}