{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2022-50675","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-12-09T01:26:45.991Z","datePublished":"2025-12-09T01:29:27.926Z","dateUpdated":"2026-05-11T19:23:36.334Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T19:23:36.334Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\narm64: mte: Avoid setting PG_mte_tagged if no tags cleared or restored\n\nPrior to commit 69e3b846d8a7 (\"arm64: mte: Sync tags for pages where PTE\nis untagged\"), mte_sync_tags() was only called for pte_tagged() entries\n(those mapped with PROT_MTE). Therefore mte_sync_tags() could safely use\ntest_and_set_bit(PG_mte_tagged, &page->flags) without inadvertently\nsetting PG_mte_tagged on an untagged page.\n\nThe above commit was required as guests may enable MTE without any\ncontrol at the stage 2 mapping, nor a PROT_MTE mapping in the VMM.\nHowever, the side-effect was that any page with a PTE that looked like\nswap (or migration) was getting PG_mte_tagged set automatically. A\nsubsequent page copy (e.g. migration) copied the tags to the destination\npage even if the tags were owned by KASAN.\n\nThis issue was masked by the page_kasan_tag_reset() call introduced in\ncommit e5b8d9218951 (\"arm64: mte: reset the page tag in page->flags\").\nWhen this commit was reverted (20794545c146), KASAN started reporting\naccess faults because the overriding tags in a page did not match the\noriginal page->flags (with CONFIG_KASAN_HW_TAGS=y):\n\n  BUG: KASAN: invalid-access in copy_page+0x10/0xd0 arch/arm64/lib/copy_page.S:26\n  Read at addr f5ff000017f2e000 by task syz-executor.1/2218\n  Pointer tag: [f5], memory tag: [f2]\n\nMove the PG_mte_tagged bit setting from mte_sync_tags() to the actual\nplace where tags are cleared (mte_sync_page_tags()) or restored\n(mte_restore_tags())."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["arch/arm64/kernel/mte.c","arch/arm64/mm/mteswap.c"],"versions":[{"version":"69e3b846d8a753f9f279f29531ca56b0f7563ad0","lessThan":"918002bdbe4328c8c0164a22e8ebf2384b80dc23","status":"affected","versionType":"git"},{"version":"69e3b846d8a753f9f279f29531ca56b0f7563ad0","lessThan":"749e9fc18b1e1a3f93a9512e91bd7f93002d2821","status":"affected","versionType":"git"},{"version":"69e3b846d8a753f9f279f29531ca56b0f7563ad0","lessThan":"a8e5e5146ad08d794c58252bab00b261045ef16d","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["arch/arm64/kernel/mte.c","arch/arm64/mm/mteswap.c"],"versions":[{"version":"5.14","status":"affected"},{"version":"0","lessThan":"5.14","status":"unaffected","versionType":"semver"},{"version":"5.15.82","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.0.3","lessThanOrEqual":"6.0.*","status":"unaffected","versionType":"semver"},{"version":"6.1","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.14","versionEndExcluding":"5.15.82"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.14","versionEndExcluding":"6.0.3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.14","versionEndExcluding":"6.1"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/918002bdbe4328c8c0164a22e8ebf2384b80dc23"},{"url":"https://git.kernel.org/stable/c/749e9fc18b1e1a3f93a9512e91bd7f93002d2821"},{"url":"https://git.kernel.org/stable/c/a8e5e5146ad08d794c58252bab00b261045ef16d"}],"title":"arm64: mte: Avoid setting PG_mte_tagged if no tags cleared or restored","x_generator":{"engine":"bippy-1.2.0"}}}}